Slack user database compromised, counters with two-factor authentication and password kill switch
By Shawn Knight
Slack, the company behind the team communication tool by the same name, revealed on Friday that its database was compromised by hackers during a four-day period in February.
No financial or payment information was accessed or compromised, although other sensitive information, including user names, e-mail addresses and one-way encrypted (hashed) passwords, was accessible during the incident. Additional information at risk includes any other optional profile information, such as phone numbers and Skype IDs.
Because Slack's hashing function is bcrypt with a randomly generated salt per password, it would be impractical (albeit not impossible) for a hacker to recover the original passwords from the hashes. The Verge was able to further confirm that team message history wasn't accessed.
The company said it started communicating with affected teams as soon as the evidence was uncovered, and that a public announcement was made as soon as it could confirm the details and write up a blog post. Slack added that it has been working around the clock to examine, rebuild and test each component of its system to ensure the vulnerability has been patched. Law enforcement officials have also been notified.
A very small number of Slack accounts have surfaced with suspicious activity. Slack said it has notified these individual users and team owners so they can share details with their security teams.
In addition to patching the vulnerability, Slack has rolled out two-factor authentication, which it encourages all users to enable. The company has also introduced a password kill switch for team owners that allows them to instantaneously terminate all user sessions for all team members and reset all passwords.